Determine policy for trademarked modules and themes on Drupal.org

Here is an initial draft: https://www.drupal.org/drupalorg/docs/content/use-of-trademarks-in-proje... →

What is important about this trademark policy is there are fundamental legal constraints that we cannot go against, even if we would like to in our policies. Except in clear cases of trademark fair use, we have to comply with trademark owners requests.

Tried to outline the details of that, and our preferred choice of handling these things collaboratively, in the policy above.

Cross linked the above here: https://www.drupal.org/docs/develop/creating-modules/naming-and-placing-... →

Also updated here: https://www.drupal.org/docs/develop/managing-a-drupalorg-theme-module-or... →

and here:
https://www.drupal.org/docs/develop/managing-a-drupalorg-theme-module-or... →

I see 2 approaches here for a trademark holder to assert ownership of a module

1. First-party ownership. In the Fastly example, they had a team who worked directly on the module and could request it directly. Since there wasn't a policy at the time, they went through then CTO Josh Mitchell, to get the repo moved to their ownership. It was made easier by the fact that the existing maintainer didn't respond to the request within the 2-week timeframe.
2. Partner ownership. There are other instances where a large company may work with a Drupal partner to manage the 3rd party integration. In these cases, the partner doesn't own the trademark and cannot directly ask via the issue queue. In that case, an email from the trademark holder to the Drupal Association would be required. For transparency, it'd be good if the DA could act as a proxy, posting the trademark transfer request to the Site Moderators' queue on their behalf.

In either case, these requests should be exempt from the 2 week waiting period. It looks like the drafts Tim created (above) seem to satisfy these requirements.

Strongly not preferred: If the existing maintainer does not want the prior maintainer to have access to the repository, an exception can be made for DA Staff to change the project short-name - this *will* be disruptive to current users. The trademark holder can then create a new project with their trademark. 

I don't think this is technically feasible. With the exception of malicious projects/intentions (IE: if Dell made the "hp_api" module that redirected people to use dell products), the trademark owner who gains ownership should have the responsibility of ensuring drupal sites don't immediately go down due to transfer of ownership. They could decide to EOL the existing branch, or not maintain it at all, but at least it wouldn't cause current sites to immediately stop working.

If a maintainer is unwilling to work with a trademark owner, tuff beans. They lose access to their project. Hopefully, this would encourage infringing maintainers to work with trademark owners rather than dismissing them.

TBH - I think #10 is right - if there's any usage at all that option is potentially extremely disruptive.

https://github.com/composer/composer/issues/7557 is a feature request in Composer that might be worth trying to get some traction for, that might provide a method for a module to be shifted to a new namespace with limited breakage.

If we could get that in to composer we could follow it up with a call for maintainers to proactively rename their modules now to avoid this ever being an issue, and possibly could use it with a 'blackout' period to roll over a module to a new name if a Trademark claim does arise in the future.

I do think there may need to be some more documentation requirements for claiming the Trademark name, Github seems to have a good policy of requiring registration number which could allow it to be investigated up by the Site Moderators before acting. I've had the pleasure of having a Trademark filed by another person for a project name I created in the past, so I wouldn't put it past similar attack against a D.O. module.

Thinking Ahead:
Should a field be added to modules to indicate they have been taken over by a Trademark owner? This would allow the Site Moderators to easily see they should never transfer the module and that the module should never be included in any future 'open for adoption' type events.

I'm curious how far this will go for naming? Is the module name ever going to be considered fair use under this policy based on how the module describes itself or is the the fact it contains the Trademarked work at all going to be the sole requirement?

Some examples of module names for this discussion:
'paypal/paypal' (not currently possible with Drupal however I put it in for completeness of the examples to contrast with the other examples)
'drupal/paypal'
'drupal/commerce_paypal'

Which of these would the moderators consider infringing on Paypal's Trademark?

Note: I use PayPal above, however these examples really goes for any Trademark such a CKEditor, jQuery, Redis, etc.

@cmlara

Unfortunately I don't think it's up to us to consider whether a software extension name can ever use a trademark in a fair use way. The definition of fair use is up to legal precedent, not to our policy.

And because of that, the policy is not necessarily what I would *like* to have happen, it's more based on the legal realities we have to abide by.

That said, use of the trademark (imo, and I am not a lawyer) is not necessarily a violation unless the trademark holder has asserted that it is unauthorized. Many organizations are more than happy to have third party developers use their APIs to implement integrations which seems like tacit permission to me... but it's a complicated issue.

But if it came down to it, and Paypal's lawyers said 'You can't use our trademark in that module' or 'You need to give control of that namespace with our trademark to us' - I believe we would be legally obligated to comply.

And therefore I want to be explicit that this is a risk, so that module maintainers are more likely to use a more generic name or abbreviated name: drupal/pp or commerce_pp perhaps in these cases. The human readable name could also still contain the trademark without being a significant issue, because that *can* be changed - and the description can always describe the integration because that *is* protected by nominative fair use (describing compatibility).

Some examples of module names for this discussion:
'paypal/paypal' (not currently possible with Drupal however I put it in for completeness of the examples to contrast with the other examples)
'drupal/paypal'
'drupal/commerce_paypal'

All of those examples use trademarked names, and per the current draft would be subject to change of ownership. To go a bit further:

• paypal/paypal in the composer/packagist world, the vendor would be PayPal. If someone other than paypal took this name (likely in github), they'd be required to change it, per the github trademark policy.
• drupal/paypal This is probably the namespace most likely to be claimed by paypal if they wanted to have a say or contribute to a drupal connector. Would definitely fall under this policy
• drupal/commerce_paypal This is interesting. I'd say since 'commerce' is not a trademark in itself, the paypal team could ask for ownership. Additionally, if centarro didn't have a formal partnership with Paypal, they could lose control over a key module they maintain. Making the assumption they don't have a partnership, it'd be in centarro's best interest to make the project drupal/centarro_paypal to ensure they wouldn't lose maintainership access.

One thing that is nice about Drupal.org vs github is that you cannot simply delete your projects. As we go through this policy, we should remember not to repeat https://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm

It's also probably less of an issue when it's something like commerce_paypal where it describes compatibility with an ecosystem, then when the shortname is simply an exact match for a trademark product name, like paypal by itself.

I'm not a lawyer either. I can understand the choice for the policy being 'on demand' (current draft policy) instead of 'on order of the court' being the choice to avoid involving in escalating legal issues. As always I strongly suggest running any legal document through council skilled on the subject before making any final decisions.

Since it is suggested to make this explicit and since it does not appear to have an appeal process may I suggest the following change to the draft policy:

Please note that the site moderators will not consider Fair Use arguments for a project shortname.

We strongly recommend against using trademarks in Drupal project names, especially in any part of the shortname/machine name of a project because that shortname/machine name cannot be changed without disruption.

If a trademark holder claims their rights for a project where the shortname contains their trademark  the project will be transferred to their control.

We will always attempt to encourage a trademark holder to work with an existing contributor, but we cannot enforce that. If the existing contributor and trademark holder are unable to work together, we can help to move the existing project to a new namespace not using the trademark. 

I would still suggest enhancements on the complaint filing portion so that a trademark owner has more responsibility to assert a valid claim may be helpful.

@Japerry brings up an interesting one:drupal/centarro_paypal, Technically Centarro AND PayPal would have a valid claim under the policy as currently written (and my suggested changes above make this even worse), however there is no way to avoid this scenario being possibly unless the D.O. Site Moderators are willing to accept an appeal from maintainers until court order is delivered (similar to DMCA Counter Claims, though that law doesn't apply to trademarks.)

I agree its not the most likely to occur, though a good policy should be prepared for these scenarios as well.

unless the D.O. Site Moderators are willing to accept an appeal from maintainers until court order is delivered (similar to DMCA Counter Claims, though that law doesn't apply to trademarks.)

That is not something site moderators can decide, as they can only follow what the Drupal Association decides and tell them to do.

The currently posted policy only strictly talks about ownership.

Should the policy be updated to note that if a Trademark owner raises objections thah site moderators may not add maintainer or co-maintainers?